July 2023
GOVERNMENT CIO OUTLOOK

NATIONAL CYBER INTELLIGENCE SHARING NEEDS TO EVOLVE: CYBERSECURITY INFORMATION SHARING IS NOT KEEPING PACE WITH THE RISK THAT THREATS POSE

By Lester Godsey, Chief, Maricopa County

According to a 2021 Infosec Institute article that shared research conducted by Agari, when credentials were successfully stolen, 20% of those were compromised in less than one hour. In Maricopa County, we regularly see the honeyed credentials that we submit to credential harvesting sites used in login attempts, sometimes in 15 minutes or less. Additionally, we continue to see targeted phishing campaigns, with live threat actors engaging users in attempts to gain access, data and/or money. With the increasing speed at which technology is being used to exploit weaknesses in organizations and the business-fication (think DDoS as a service, etc.) of cyber-attacks, it is imperative that our information sharing capabilities scale accordingly. And therein lies the problem, well, one of several. There are a few reasons why we need to evolve the way we share cyber intelligence:

Regionality and Sectors

Much of how cyber intelligence is shared is based on these two factors. In the case of sectors, many of the organizational structures in place are built around them. Look at the creation and use of ISACs (Information Sharing and Analysis Centers), which are focused on critical infrastructure sectors. According to the National Council of ISACs, there are currently 25 ISACs in existence. Sharing efficacy amongst these ISACs aside, what they have in common is that they are typically limited to their sphere of infrastructure. Is sharing threats with others in the same sector valuable? Absolutely, but sharing and receiving cyber intelligence only amongst similar entities certainly diminishes the scope of inquiry and awareness.
This isn't to suggest that most orgs rely on a single source of intelligence when it comes to cybersecurity, but it does point to a limited perspective at best.

In terms of regionality, this is something most often experienced by government agencies, especially at the state and local levels. Because there is not a national standard per se for government intelligence (the closest thing to this is the Multi-State ISAC, or MS-ISAC), many government agencies, especially states, have been forming their own intelligence sharing coalitions. However, much like the other ISACs, this provides a limited perspective of the threat landscape. A great example of this was the Super Bowl hosted in Arizona this year. Part of the planning activities included cyber monitoring leading up to and on the day of the event. What was unusual about this planning was the fact that multiple sectors, ranging from government to transportation to manufacturing to entertainment, all participated. While the actual day of the event was quiet, there was cyber activity leading up to the game, and the two sectors that were targeted with the same attack were local government and entertainment (specifics withheld to maintain anonymity). If we had taken the normal ISAC or regional intel sharing approach, this correlation between two disparate sectors would've never been discovered, or at least would have been discovered a lot later than it was.

Timeliness

This is an ongoing struggle between threat actors and defenders, and it isn't one that is only technology-based. Yes, technology is improving, and with it the speed at which attacks are launched against organizations is increasing. However, threat actors are also getting better in terms of workflow and process. They continue to refine processes and then leverage technology, in the form of automation, to deliver malicious payloads at scale and speed.

IN MY OPINION